From 3c71c483e3e91d11fa83bfd751d2d8e54fdb4a20 Mon Sep 17 00:00:00 2001
From: Emilien Macchi
Date: Wed, 7 Feb 2018 11:40:16 -0800
Subject: [PATCH] Remove neutron-managed firewall rules from /etc/sysconfig/iptables

See https://bugzilla.redhat.com/show_bug.cgi?id=1541528
We don't want IPtables rules managed by Neutron to be persistent, it can cause issues when rule are recreated while a namespace doesn't exist. This patch makes sure that in any Neutron node, no IPtables rule will be persistent if it contains "neutron-" in the name.
Change-Id: Ife465c2c6739c3cbfb9923ed97f370baa745739c
Related-Bug: #1747960
---
 manifests/firewall.pp | 31 ++++++++++++++++++-
 .../neutron_iptables-9ea317c73b79929d.yaml | 5 +++
 2 files changed, 35 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/neutron_iptables-9ea317c73b79929d.yaml
diff --git a/manifests/firewall.pp b/manifests/firewall.pp
index b4d51d970..7a1c37b5e 100644
--- a/manifests/firewall.pp
+++ b/manifests/firewall.pp
@@ -103,6 +103,35 @@ class tripleo::firewall(
 # action: accept
 $service_names = hiera('service_names', [])
 tripleo::firewall::service_rules { $service_names: }
- }
+ # puppetlabs-firewall manages security rules via Puppet but make the rules
+ # consistent by default. Since Neutron also creates some rules, we don't
+ # want them to be consistent so we have to ensure that they're not stored
+ # into sysconfig.
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1541528
+ # Also, we need to restart IPtables after the cleanup to make sure rules aren't persistent
+ # anymore.
+ exec { 'nonpersistent_v4_rules_cleanup':
+ command => '/bin/sed -i /neutron-/d /etc/sysconfig/iptables',
+ onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -v neutron- /etc/sysconfig/iptables',
+ notify => Exec['restart_iptables'],
+ }
+ exec { 'restart_iptables':
+ command => 'sudo service iptables restart',
+ path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
+ refreshonly => true,
+ }
+ exec { 'nonpersistent_v6_rules_cleanup':
+ command => '/bin/sed -i /neutron-/d /etc/sysconfig/ip6tables',
+ onlyif => '/bin/test -f /etc/sysconfig/ip6tables && /bin/grep -v neutron- /etc/sysconfig/ip6tables',
+ notify => Exec['restart_ip6tables'],
+ }
+ exec { 'restart_ip6tables':
+ command => 'sudo service ip6tables restart',
+ path => ['/usr/bin', '/usr/sbin', '/bin', '/sbin'],
+ refreshonly => true,
+ }
+ Firewall<| |> -> Exec['nonpersistent_v4_rules_cleanup']
+ Firewall<| |> -> Exec['nonpersistent_v6_rules_cleanup']
+ }
 }
diff --git a/releasenotes/notes/neutron_iptables-9ea317c73b79929d.yaml b/releasenotes/notes/neutron_iptables-9ea317c73b79929d.yaml
new file mode 100644
index 000000000..d45ac41e6
--- /dev/null
+++ b/releasenotes/notes/neutron_iptables-9ea317c73b79929d.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - |
+ IPtables rules managed by Neutron won't be persistent on the host anymore.
+ Instead, they'll be removed (if exist) from /etc/sysconfig/iptables.
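Review bot: The `onlyif` guard on `nonpersistent_v4_rules_cleanup` (and its v6 twin) uses `/bin/grep -v neutron-`, which exits 0 whenever the file contains at least one line *without* that string, so on any non-empty sysconfig file the sed runs on every Puppet run and, through `notify`, restarts the iptables service on every run. The guard should test for presence instead: `onlyif => '/bin/test -f /etc/sysconfig/iptables && /bin/grep -q neutron- /etc/sysconfig/iptables',` (and the same with `ip6tables`), so the cleanup and the restart only fire when a Neutron-managed line was actually persisted. This matters beyond idempotency because `service iptables restart` reloads the ruleset from the saved file, which presumably also flushes the live rules the Neutron agent installed at runtime until the agent recreates them — an unconditional restart on each agent run repeats that window, so worth confirming it is acceptable on agent nodes. The `sudo` prefix in the two `restart_*` commands looks unnecessary under a Puppet agent running as root and adds a dependency on sudo being present; `service iptables restart` with the given `path` should be enough, and `consistent` in the new comment block reads as a typo for `persistent`. The enclosing class `tripleo::firewall` starts outside the hunk.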